Truework API responses include a signature header that can be used to verify the authenticity of the API response.
Truework's public key used to validate the signature will be published on this page.
| Key ID | Not valid before | Not valid after | Base64-encoded value |
|---|---|---|---|
The signature is included as a header named X-Truework-Signature, which carries all the information required to verify the signature. The signature header has three parts: the key id, the headers, and the signature. For example:
| Part | Description |
|---|---|
| Key id | Refers to the key id of the public key that can be used to verify the signature. |
| Headers | Refers to which response headers were used in the construction of the signature. Each header key is lower-cased, and the keys are separated by a space character. |
| Signature | Refers to the actual signature that will be verified. Truework uses Ed25519 to generate the signature. |
Based on the headers part of the X-Truework-Signature header, we can construct the message that we will use to verify the signature.
The message contains the following components, separated by
- Header key and value, in the format
- Response body
For example, the message constructed for the API response:
Using the constructed message, public key and signature, we can verify the response payload.
To verify the signature, we first parse the signature header to extract its parts:
We then construct the message that we will use to verify the signature:
Finally, we verify the message using the constructed message, Truework's public key, and
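The three steps above (parse the header, rebuild the message, verify with the published key) as an added Go example; this is not Truework's own code. Because the page does not show them, it assumes a `keyId=...,headers=...,signature=...` serialisation of the header, a newline between message components and a `name: value` line format; the key pair, headers and body are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// message rebuilds the signed payload: one "name: value" line per listed header, then the body (separator and line format are assumptions for this example).
func message(names []string, hdr map[string]string, body []byte) []byte {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s: %s\n", n, hdr[n]) // absent header -> empty value -> verification fails
	}
	return append([]byte(b.String()), body...)
}

// Verify parses X-Truework-Signature (assumed "keyId=...,headers=...,signature=..." serialisation), selects the published key by key id and checks the Ed25519 signature.
func Verify(keys map[string]ed25519.PublicKey, sigHdr string, hdr map[string]string, body []byte) error {
	parts := map[string]string{}
	for _, p := range strings.Split(sigHdr, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=") // split at the first '=' so base64 padding survives
		parts[k] = v
	}
	pub, ok := keys[parts["keyId"]]
	if !ok {
		return fmt.Errorf("unknown or missing key id %q", parts["keyId"])
	}
	names := strings.Fields(strings.ToLower(parts["headers"])) // lower-cased, space-separated header names
	raw, err := base64.StdEncoding.DecodeString(parts["signature"])
	if err != nil || len(names) == 0 || len(raw) != ed25519.SignatureSize {
		return fmt.Errorf("malformed signature header: %q", sigHdr)
	}
	if !ed25519.Verify(pub, message(names, hdr, body), raw) {
		return fmt.Errorf("signature does not match response")
	}
	return nil
}

// Demo signs a constructed response with a throwaway key and reports whether the genuine response verifies and a tampered body is rejected.
func Demo() (genuineOK, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	hdr := map[string]string{"content-type": "application/json", "x-request-id": "req-123"}
	body := []byte(`{"status":"ok"}`)
	sig := ed25519.Sign(priv, message([]string{"content-type", "x-request-id"}, hdr, body))
	sigHdr := "keyId=key-1,headers=content-type x-request-id,signature=" + base64.StdEncoding.EncodeToString(sig)
	keys := map[string]ed25519.PublicKey{"key-1": pub}
	return Verify(keys, sigHdr, hdr, body) == nil, Verify(keys, sigHdr, hdr, []byte(`{"status":"no"}`)) != nil
}
```

In production the `keys` map is filled from the public keys published on this page, and a response whose key id is outside its validity window should be rejected as well.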